8

I read in a PHP book that it is a good practice to use htmlspecialchars and mysqli_real_escape_string in conditions when we handle user inputed data. What is the main difference between these two and where they are appropriate to be used? Please guide me.

Naeem Ul Wahhab
  • possible duplicate of [htmlspecialchars or mysql_real_escape_string?](http://stackoverflow.com/questions/3603146/htmlspecialchars-or-mysql-real-escape-string) – ajreal Dec 07 '11 at 16:48

5 Answers

9

htmlspecialchars: "<" to "&lt;" (Replaces HTML-Code)

mysqli_real_escape_string: " to \" (Replaces Code, that has a meaning in a mysql-query)

Both are used to be safe against some attacks like SQL-Injection and XSS

EGOrecords
7

These two functions are used for completely different things.

htmlspecialchars() converts special HTML characters into entities so that they can be outputted without problems. mysql_real_escape_string() escapes sensitive SQL characters so dynamic queries can be performed without the risk of SQL injection.

You could just as easily say that htmlspecialchars handles sensitive OUTPUT, while mysql_real_escape_string handles sensitive INPUT.

Shai Mishali
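The answers above all make the same point: one function protects the HTML output context, the other the SQL query context. The following PHP example is added here to show that split concretely; it is not code from the question or any of the answers. It assumes PHP 7 or later with the mysqli extension, and the database name, user and password are placeholders. The sample input string is constructed for the example.

```php
<?php
// Added example (not from the original question or answers): one
// user-supplied string handled in its two separate contexts.
// Assumes PHP 7+ with the mysqli extension; connection details are placeholders.

declare(strict_types=1);

// Constructed sample input: what a user might type into a comment form.
$userInput = "O'Reilly <script>alert(1)</script> & co";

// 1. HTML output context. htmlspecialchars() turns markup characters into
//    entities so the browser displays them as text instead of interpreting
//    them. ENT_QUOTES also encodes single quotes, which matters when the
//    value ends up inside a single-quoted attribute; ENT_SUBSTITUTE replaces
//    invalid UTF-8 sequences instead of returning an empty string.
function renderComment(string $text): string
{
    return '<p class="comment">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

echo renderComment($userInput), PHP_EOL;

// 2. SQL context, escaping approach. mysqli_real_escape_string() needs the
//    live connection because the escaping depends on the connection charset,
//    and the escaped value must still be wrapped in quotes inside the query.
function insertCommentEscaped(mysqli $db, string $text): bool
{
    $safe = $db->real_escape_string($text);
    $sql  = "INSERT INTO comments (body) VALUES ('$safe')";
    return $db->query($sql) === true;
}

// 3. SQL context, preferred approach. A prepared statement sends the data
//    separately from the query text, so no escaping function is involved
//    and there is no quoting to get wrong.
function insertCommentPrepared(mysqli $db, string $text): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The two must not be swapped: storing htmlspecialchars() output in the
// database corrupts the data for every non-HTML consumer (JSON APIs, e-mail,
// CSV export), and real_escape_string() output printed into a page leaves
// the <script> tag intact.

// Placeholder connection details; set_charset() before any escaping so the
// escaping rules match the connection charset.
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
$db->set_charset('utf8mb4');
insertCommentPrepared($db, $userInput);
```

Store the raw value, and encode for HTML only at the moment it is written into a page; the same stored value is then still usable wherever else it is needed.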
5

The two functions are totally unrelated in purpose; the only attribute they share is that they are commonly used to provide safety to web applications.

mysqli_real_escape_string is meant to provide safety against SQL injection.

htmlspecialchars is meant to provide safety against cross-site scripting (XSS).

Also see What's the best method for sanitizing user input with PHP? and Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Jon
2

htmlspecialcharacters turns 'html special characters' into code, such as quotes (both single and double), ampersands, and less than/greater than signs. This function is generally used to ensure that content users post on your website doesn't have HTML tags or XSS scripts.

mysql_real_escape_string escapes strings, meaning it adds the \ in front of slashes, quotes(both single and double), and anything else that can mess up a mysql query. This function ensures that no one is executing SQL commands on your server and getting information from the database.

Tim Withers
1

Can I add that truly advanced PHP web programmers nowadays don't do user input validation by hand anymore, it being prone to a myriad of possible fallacies, but instead usually opt for some PHP framework like CakePHP or CodeIgniter which do user input validation and much more with few lines of code?

dendini
  • Truly advanced PHP programmers did not become advanced by not knowing what to defend against and how. There's nothing that can go wrong with manually sanitizing input unless you misuse the sanitization facilities. Can I add that misusing said facilities can happen no matter if they are called `htmlspecialchars` or "framework helpers". – Jon Dec 07 '11 at 17:07
  • As far as I know knowledge is never a bad idea, I just said that user input validation is best done with some well proved and revised functions from a framework developed by PHP veterans than with a custom made function. So framework helpers I think are a good choice, god forbid not knowing how htmlspecialchars works! – dendini Dec 07 '11 at 20:54